lix-project/lix
20
55
Fork 31
Code Issues 344 Code Review (Gerrit) Projects 3 Releases Wiki Activity

Tighten permissions on chroot directories

Browse source
This commit is contained in:
Eelco Dolstra 2015-03-24 11:35:53 +01:00
parent 6f0c6e20e0
commit 5ce50cd99e
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/libstore/build.cc
View file

@ -1838,6 +1838,12 @@ void DerivationGoal::startBuilder()
printMsg(lvlChatty, format("setting up chroot environment in %1%") % chrootRootDir); printMsg(lvlChatty, format("setting up chroot environment in %1%") % chrootRootDir);
if (mkdir(chrootRootDir.c_str(), 0750) == -1)
throw SysError(format("cannot create %1%") % chrootRootDir);
if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
throw SysError(format("cannot change ownership of %1%") % chrootRootDir);
/* Create a writable /tmp in the chroot. Many builders need /* Create a writable /tmp in the chroot. Many builders need
this. (Of course they should really respect $TMPDIR this. (Of course they should really respect $TMPDIR
instead.) */ instead.) */
@ -1874,8 +1880,12 @@ void DerivationGoal::startBuilder()
can be bind-mounted). !!! As an extra security can be bind-mounted). !!! As an extra security
precaution, make the fake Nix store only writable by the precaution, make the fake Nix store only writable by the
build user. */ build user. */
createDirs(chrootRootDir + settings.nixStore); Path chrootStoreDir = chrootRootDir + settings.nixStore;
chmod_(chrootRootDir + settings.nixStore, 01777); createDirs(chrootStoreDir);
chmod_(chrootStoreDir, 0730);
if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1)
throw SysError(format("cannot change ownership of %1%") % chrootStoreDir);
foreach (PathSet::iterator, i, inputPaths) { foreach (PathSet::iterator, i, inputPaths) {
struct stat st; struct stat st;